Abstract. We introduce the first program synthesis engine implemented inside an SMT solver. We present an approach that extracts solution functions from unsatisfiability proofs of the negated form of synthesis conjectures. We also discuss novel counterexample-guided techniques for quantifier instantiation that we use to make finding such proofs practically feasible. A particularly important class of specifications are single-invocation properties, for which we present a dedicated algorithm. To support syntax restrictions on generated solutions, our approach can transform a solution found without restrictions into the desired syntactic form. As an alternative, we show how to use evaluation function axioms to embed syntactic restrictions into constraints over algebraic datatypes, and then use an algebraic datatype decision procedure to drive synthesis. Our experimental evaluation on syntax-guided synthesis benchmarks shows that our implementation in the CVC4 SMT solver is competitive with state-of-the-art tools for synthesis.


1 Introduction 

The synthesis of functions that meet a given specification is a long-standing fundamental goal that has received great attention recently. This functionality directly applies to the synthesis of functional programs [17, 18] but also translates to imperative programs through techniques that include bounding input space, verification condition generation, and invariant discovery [27, 4, 29]. Function synthesis is also an important subtask in the synthesis of protocols and reactive systems, especially when these systems are infinite-state [ref]. The SyGuS format and competition [1, 2], inspired by the success of the SMT-LIB and SMT-COMP efforts [5], has significantly improved and simplified the process of rigorously comparing different solvers on synthesis problems.

A connection between synthesis and theorem proving was established already in early work on the subject [12, 20]. It is notable that early research [20] found that the capabilities of theorem provers were the main bottleneck for synthesis. Taking lessons from automated software verification, recent work on synthesis has made use of advances in theorem proving, particularly in SAT and SMT solvers. However, that work avoids formulating the overall synthesis task as a theorem proving problem directly. Instead, existing work typically builds custom loops outside of an SMT or SAT solver, often using numerous variants of counterexample-guided synthesis. A typical role of the SMT solver has been to validate candidate solutions and provide counterexamples that guide subsequent search, although approaches such as symbolic term exploration [ref] also use an SMT solver to explore a representation of the space of solutions. In existing approaches, SMT solvers thus receive a large number of separate queries, with limited communication between these different steps.

* This work is supported in part by the European Research Council (ERC) Project Implicit Programming and Swiss National Science Foundation Grant Constraint Solving Infrastructure for Program Analysis.

** This paper is dedicated to the memory of Morgan Deters who died unexpectedly in Jan 2015.

Andrew Reynolds, Morgan Deters, Viktor Kuncak, Cesare Tinelli, and Clark Barrett

Contributions. In this paper, we revisit the formulation of the overall synthesis task as a theorem proving problem. We observe that SMT solvers already have some of the key functionality for synthesis; we show how to improve existing algorithms and introduce new ones to make SMT-based synthesis competitive. Specifically, we do the following.

- We show how to formulate an important class of synthesis problems as the problem of disproving universally quantified formulas, and how to synthesize functions automatically from selected instances of these formulas.

- We present counterexample-guided techniques for quantifier instantiation, which are crucial to obtain competitive performance on synthesis tasks.

- We discuss techniques to simplify the synthesized functions, to help ensure that they are small and adhere to specified syntactic requirements.

- We show how to encode syntactic restrictions using theories of algebraic datatypes and axiomatizable evaluation functions.

- We show that for an important class of single-invocation properties, the synthesis of functions from relations, the implementation of our approach in CVC4 significantly outperforms leading tools from the SyGuS competition.

Preliminaries. Since synthesis involves finding (and so proving the existence of) functions, we use notions from many-sorted second-order logic to define the general problem. We fix a set $\mathsf{S}$ of sort symbols and an (infix) equality predicate $\approx$ of type $\sigma \times \sigma$ for each $\sigma \in \mathsf{S}$. For every non-empty sort sequence $\boldsymbol{\sigma} \in \mathsf{S}^+$ with $\boldsymbol{\sigma} = \sigma_1 \cdots \sigma_n\, \sigma$, we fix an infinite set $X_{\boldsymbol{\sigma}}$ of variables of type $\sigma_1 \times \cdots \times \sigma_n \to \sigma$. For each sort $\sigma$ we identify the type $() \to \sigma$ with $\sigma$ and call it a first-order type. We assume the sets $X_{\boldsymbol{\sigma}}$ are pairwise disjoint and let $X$ be their union. A signature $\Sigma$ consists of a set $\Sigma^{\mathrm{s}} \subseteq \mathsf{S}$ of sort symbols and a set $\Sigma^{\mathrm{f}}$ of function symbols $f^{\sigma_1 \cdots \sigma_n \sigma}$ of type $\sigma_1 \times \cdots \times \sigma_n \to \sigma$, where $n \geq 0$ and $\sigma_1, \ldots, \sigma_n, \sigma \in \Sigma^{\mathrm{s}}$. We drop the sort superscript from variables or function symbols when it is clear from context or unimportant. We assume that signatures always include a Boolean sort $\mathsf{Bool}$ and constants $\top$ and $\bot$ of type $\mathsf{Bool}$ (respectively, for true and false). Given a many-sorted signature $\Sigma$ together with quantifiers and lambda abstraction, the notions of well-sorted ($\Sigma$-)term, atom, literal, clause, and formula with variables in $X$ are defined as usual in second-order logic. All atoms have the form $s \approx t$. Having $\approx$ as the only predicate symbol causes no loss of generality since we can model other predicate symbols as function symbols with return sort $\mathsf{Bool}$. We will, however, write just $t$ in place of the atom $t \approx \top$, to simplify the notation. A $\Sigma$-term/formula is ground if it has no variables; it is first-order if it has only first-order variables, that is, variables of first-order type. When $\mathbf{x} = (x_1, \ldots, x_n)$ is a tuple of variables and $Q$ is either $\forall$ or $\exists$, we write $Q\mathbf{x}\, \varphi$ as an abbreviation of $Qx_1 \cdots Qx_n\, \varphi$. If $e$ is a $\Sigma$-term or formula and $\mathbf{x} = (x_1, \ldots, x_n)$ has no repeated variables, we write $e[\mathbf{x}]$ to denote that all of $e$'s free variables are from $\mathbf{x}$; if $\mathbf{t} = (t_1, \ldots, t_n)$ is a term tuple, we write $e[\mathbf{t}]$ for the term or formula obtained from $e$ by simultaneously replacing, for all $i = 1, \ldots, n$, every occurrence of $x_i$ in $e$ by $t_i$. A $\Sigma$-interpretation $\mathcal{I}$ maps: each $\sigma \in \Sigma^{\mathrm{s}}$ to a non-empty set $\sigma^{\mathcal{I}}$, the domain of $\sigma$ in $\mathcal{I}$, with $\mathsf{Bool}^{\mathcal{I}} = \{\top, \bot\}$; each $u^{\sigma_1 \cdots \sigma_n \sigma} \in X \cup \Sigma^{\mathrm{f}}$ to a total function $u^{\mathcal{I}} : \sigma_1^{\mathcal{I}} \times \cdots \times \sigma_n^{\mathcal{I}} \to \sigma^{\mathcal{I}}$ when $n > 0$ and to an element of $\sigma^{\mathcal{I}}$ when $n = 0$. The interpretation $\mathcal{I}$ induces as usual a mapping from terms $t$ of sort $\sigma$ to elements $t^{\mathcal{I}}$ of $\sigma^{\mathcal{I}}$. If $x_1, \ldots, x_n$ are variables and $v_1, \ldots, v_n$ are well-typed values for them, we denote by $\mathcal{I}[x_1 \mapsto v_1, \ldots, x_n \mapsto v_n]$ the $\Sigma$-interpretation that maps each $x_i$ to $v_i$ and is otherwise identical to $\mathcal{I}$. A satisfiability relation between $\Sigma$-interpretations and $\Sigma$-formulas is defined inductively as usual.

A theory is a pair $T = (\Sigma, \mathbf{I})$ where $\Sigma$ is a signature and $\mathbf{I}$ is a non-empty class of $\Sigma$-interpretations, the models of $T$, that is closed under variable reassignment (i.e., every $\Sigma$-interpretation that differs from one in $\mathbf{I}$ only in how it interprets the variables is also in $\mathbf{I}$) and isomorphism. A $\Sigma$-formula $\varphi[\mathbf{x}]$ is $T$-satisfiable (resp., $T$-unsatisfiable) if it is satisfied by some (resp., no) interpretation in $\mathbf{I}$. A satisfying interpretation for $\varphi$ models (or is a model of) $\varphi$. A formula $\varphi$ is $T$-valid, written $\models_T \varphi$, if every model of $T$ is a model of $\varphi$. Given a fragment $\mathbf{L}$ of the language of $\Sigma$-formulas, a $\Sigma$-theory $T$ is satisfaction complete with respect to $\mathbf{L}$ if every $T$-satisfiable formula of $\mathbf{L}$ is $T$-valid. In this paper we will consider only theories that are satisfaction complete wrt the formulas we are interested in. Most theories used in SMT (in particular, all theories of a specific structure, such as the various theories of the integers, reals, strings, algebraic datatypes, bit vectors, and so on) are satisfaction complete with respect to the class of closed first-order $\Sigma$-formulas. Other theories, such as the theory of arrays, are satisfaction complete only with respect to considerably more restricted classes of formulas.


2 Synthesis inside an SMT Solver 

We are interested in synthesizing computable functions automatically from formal logical specifications stating properties of these functions. As we show later, under the right conditions, we can formulate a version of the synthesis problem in first-order logic alone, which allows us to tackle the problem using SMT solvers.

We consider the synthesis problem in the context of some theory $T$ of signature $\Sigma$ that allows us to provide the function's specification as a $\Sigma$-formula. Specifically, we consider synthesis conjectures expressed as (well-sorted) formulas of the form

$$\exists f\, \forall x_1 \cdots \forall x_n\; P[f, x_1, \ldots, x_n] \qquad (1)$$

or $\exists f\, \forall \mathbf{x}\, P[f, \mathbf{x}]$, for short, where the second-order variable $f$ represents the function to be synthesized and $P$ is a $\Sigma$-formula encoding properties that $f$ must satisfy for all possible values of the input tuple $\mathbf{x} = (x_1, \ldots, x_n)$. In this setting, finding a witness for this satisfiability problem amounts to finding a function of type $\sigma_1 \times \cdots \times \sigma_n \to \sigma$ in some model of $T$ that satisfies $\forall \mathbf{x}\, P[f, \mathbf{x}]$. Since we are interested in automatic synthesis, we restrict ourselves here to methods that search over a subspace $\mathbf{S}$ of solutions representable syntactically as $\Sigma$-terms. We will say then that a synthesis conjecture is solvable if it has a syntactic solution in $\mathbf{S}$.

In this paper we present two approaches that work with classes $\mathbf{L}$ of synthesis conjectures and $\Sigma$-theories $T$ that are satisfaction complete wrt $\mathbf{L}$. In both approaches, we solve a synthesis conjecture $\exists f\, \forall \mathbf{x}\, P[f, \mathbf{x}]$ by relying on quantifier-instantiation techniques to produce a first-order $\Sigma$-term $t[\mathbf{x}]$ of sort $\sigma$ such that $\forall \mathbf{x}\, P[t, \mathbf{x}]$ is $T$-satisfiable. When this $t$ is found, the synthesized function is denoted by $\lambda \mathbf{x}.\, t$.

In principle, to determine the satisfiability of $\exists f\, \forall \mathbf{x}\, P[f, \mathbf{x}]$ an SMT solver supporting the theory $T$ can consider the satisfiability of the (open) formula $\forall \mathbf{x}\, P[f, \mathbf{x}]$ by treating $f$ as an uninterpreted function symbol. This sort of Skolemization is not usually a problem for SMT solvers as many of them can process formulas with uninterpreted symbols. The real challenge is the universal quantification over $\mathbf{x}$ because it requires the solver to construct internally (a finite representation of) an interpretation of $f$ that is guaranteed to satisfy $P[f, \mathbf{x}]$ for every possible value of $\mathbf{x}$ [11, 23].

More traditional SMT solver designs to handle universally quantified formulas have focused on instantiation-based methods to show unsatisfiability. They generate ground instances of those formulas until a refutation is found at the ground level [10]. While these techniques are incomplete in general, they have been shown to be quite effective in practice [ref]. For this reason, we advocate approaches to synthesis geared toward establishing the unsatisfiability of the negation of the synthesis conjecture:

$$\forall f\, \exists \mathbf{x}\; \neg P[f, \mathbf{x}] \qquad (2)$$

Thanks to our restriction to satisfaction complete theories, (2) is $T$-unsatisfiable exactly when the original synthesis conjecture (1) is $T$-satisfiable.¹ Moreover, as we explain in this paper, a syntactic solution $\lambda \mathbf{x}.\, t$ for (1) can be constructed from a refutation of (2), as opposed to being extracted from the valuation of $f$ in a model of $\forall \mathbf{x}\, P[f, \mathbf{x}]$.

Two synthesis methods. Proving (2) unsatisfiable poses its own challenge to current SMT solvers, namely, dealing with the second-order universal quantification of $f$. To our knowledge, no SMT solvers so far have had direct support for higher-order quantification. In the following, however, we describe two specialized methods to refute negated synthesis conjectures like (2) that build on existing capabilities of these solvers.

The first method applies to a restricted, but fairly common, case of synthesis problems $\exists f\, \forall \mathbf{x}\, P[f, \mathbf{x}]$ where every occurrence of $f$ in $P$ is in terms of the form $f(\mathbf{x})$. In this case, we can express the problem in the first-order form $\forall \mathbf{x}\, \exists y\, Q[\mathbf{x}, y]$ and then tackle its negation using appropriate quantifier instantiation techniques.

The second method follows the syntax-guided synthesis paradigm [1, 2] where the synthesis conjecture is accompanied by an explicit syntactic restriction on the space of possible solutions. Our syntax-guided synthesis method is based on encoding the syntax of terms as first-order values. We use a deep embedding into an extension of the background theory $T$ with a theory of algebraic data types, encoding the restrictions of a syntax-guided synthesis problem.

¹ Other approaches in the verification and synthesis literature also rely implicitly, and in some cases unwittingly, on this restriction or stronger ones. We make satisfaction completeness explicit here as a sufficient condition for reducing satisfiability problems to unsatisfiability ones.

For the rest of the paper, we fix a $\Sigma$-theory $T$ and a class $\mathbf{P}$ of quantifier-free $\Sigma$-formulas $P[f, \mathbf{x}]$ such that $T$ is satisfaction complete with respect to the class of synthesis conjectures $\mathbf{L} := \{\exists f\, \forall \mathbf{x}\, P[f, \mathbf{x}] \mid P \in \mathbf{P}\}$.

3 Refutation-Based Synthesis 

When axiomatizing properties of a desired function $f$ of type $\sigma_1 \times \cdots \times \sigma_n \to \sigma$, a particularly well-behaved class are single-invocation properties (see, e.g., [18]). These properties include, in particular, standard function contracts, so they can be used to synthesize a function implementation given its postcondition as a relation between the arguments and the result of the function. This is also the form of the specification for synthesis problems considered in complete functional synthesis [16, 18]. Note that, in our case, we aim to prove that the output exists for all inputs, as opposed to, more generally, computing the set of inputs for which the output exists.

A single-invocation property is any formula of the form $Q[\mathbf{x}, f(\mathbf{x})]$ obtained as an instance of a quantifier-free formula $Q[\mathbf{x}, y]$ not containing $f$. Note that the only occurrences of $f$ in $Q[\mathbf{x}, f(\mathbf{x})]$ are in subterms of the form $f(\mathbf{x})$ with the same tuple $\mathbf{x}$ of pairwise distinct variables.² The conjecture $\exists f\, \forall \mathbf{x}\, Q[\mathbf{x}, f(\mathbf{x})]$ is logically equivalent to the first-order formula

$$\forall \mathbf{x}\, \exists y\; Q[\mathbf{x}, y] \qquad (3)$$

By the semantics of $\forall$ and $\exists$, finding a model $\mathcal{I}$ for it amounts (under the axiom of choice) to finding a function $h : \sigma_1^{\mathcal{I}} \times \cdots \times \sigma_n^{\mathcal{I}} \to \sigma^{\mathcal{I}}$ such that for all $\mathbf{s} \in \sigma_1^{\mathcal{I}} \times \cdots \times \sigma_n^{\mathcal{I}}$, the interpretation $\mathcal{I}[\mathbf{x} \mapsto \mathbf{s}, y \mapsto h(\mathbf{s})]$ satisfies $Q[\mathbf{x}, y]$. This section considers the case when $\mathbf{P}$ consists of single-invocation properties and describes a general approach for determining the satisfiability of formulas like (3) while computing a syntactic representation of a function like $h$ in the process. For the latter, it will be convenient to assume that the language of functions contains an if-then-else operator $\mathsf{ite}$ of type $\mathsf{Bool} \times \sigma \times \sigma \to \sigma$ for each sort $\sigma$, with the usual semantics.

If (3) belongs to a fragment that admits quantifier elimination in $T$, such as the linear fragment of integer arithmetic, determining its satisfiability can be achieved using an efficient method for quantifier elimination [ref]. Such cases have been examined in the context of software synthesis [ref]. Here we propose instead an alternative instantiation-based approach aimed at establishing the unsatisfiability of the negated form of (3):

$$\exists \mathbf{x}\, \forall y\; \neg Q[\mathbf{x}, y] \qquad (4)$$

or, equivalently, of a Skolemized version $\forall y\, \neg Q[\mathbf{k}, y]$ of (4) for some tuple $\mathbf{k}$ of fresh uninterpreted constants of the right sort. Finding a $T$-unsatisfiable finite set $\Gamma$ of ground instances of $\neg Q[\mathbf{k}, y]$, which is what an SMT solver would do to prove the unsatisfiability of (4), suffices to solve the original synthesis problem. The reason is that, then, a solution for $f$ can be constructed directly from $\Gamma$, as indicated by the following result.

Proposition 1. Suppose some set $\Gamma = \{\neg Q[\mathbf{k}, t_1[\mathbf{k}]], \ldots, \neg Q[\mathbf{k}, t_p[\mathbf{k}]]\}$, where $t_1[\mathbf{x}], \ldots, t_p[\mathbf{x}]$ are $\Sigma$-terms of sort $\sigma$, is $T$-unsatisfiable. One solution for $\exists f\, \forall \mathbf{x}\, Q[\mathbf{x}, f(\mathbf{x})]$ is $\lambda \mathbf{x}.\, \mathsf{ite}(Q[\mathbf{x}, t_p], t_p, (\cdots\, \mathsf{ite}(Q[\mathbf{x}, t_2], t_2, t_1) \cdots))$.


² An example of a property that is not single-invocation is $\forall x_1\, x_2\; f(x_1, x_2) \approx f(x_2, x_1)$.
1. $\Gamma := \{G \Rightarrow Q[\mathbf{k}, e]\}$ where $\mathbf{k}$ consists of distinct fresh constants

2. Repeat
     If there is a model $\mathcal{I}$ of $T$ satisfying $\Gamma$ and $G$
     then let $\Gamma := \Gamma \cup \{\neg Q[\mathbf{k}, t[\mathbf{k}]]\}$ for some $\Sigma$-term $t[\mathbf{x}]$ such that $t[\mathbf{k}]^{\mathcal{I}} = e^{\mathcal{I}}$;
     otherwise, return "no solution found"
   until $\Gamma$ contains a $T$-unsatisfiable set $\{\neg Q[\mathbf{k}, t_1[\mathbf{k}]], \ldots, \neg Q[\mathbf{k}, t_p[\mathbf{k}]]\}$

3. Return $\lambda \mathbf{x}.\, \mathsf{ite}(Q[\mathbf{x}, t_p[\mathbf{x}]], t_p[\mathbf{x}], (\cdots\, \mathsf{ite}(Q[\mathbf{x}, t_2[\mathbf{x}]], t_2[\mathbf{x}], t_1[\mathbf{x}]) \cdots))$ for $f$

Fig. 1. A refutation-based synthesis procedure for single-invocation property $\exists f\, \forall \mathbf{x}\, Q[\mathbf{x}, f(\mathbf{x})]$.

Proof: Let $\ell$ be the solution specified above, and let $\mathbf{u}$ be an arbitrary tuple of ground terms of the same sorts as $\mathbf{x}$. Given a model $\mathcal{I}$ of $T$, we show that $\mathcal{I} \models Q[\mathbf{u}, \ell(\mathbf{u})]$. Consider the case that $\mathcal{I} \models Q[\mathbf{u}, t_i[\mathbf{u}]]$ for some $i \in \{2, \ldots, p\}$; pick the greatest such $i$. Then $\ell(\mathbf{u})^{\mathcal{I}} = (t_i[\mathbf{u}])^{\mathcal{I}}$, and thus $\mathcal{I} \models Q[\mathbf{u}, \ell(\mathbf{u})]$. If no such $i$ exists, then $\mathcal{I} \models \neg Q[\mathbf{u}, t_i[\mathbf{u}]]$ for all $i = 2, \ldots, p$, and $\ell(\mathbf{u})^{\mathcal{I}} = (t_1[\mathbf{u}])^{\mathcal{I}}$. Since $\Gamma$ is $T$-unsatisfiable and $\mathbf{k}$ are fresh, we have $\neg Q[\mathbf{u}, t_2[\mathbf{u}]], \ldots, \neg Q[\mathbf{u}, t_p[\mathbf{u}]] \models_T Q[\mathbf{u}, t_1[\mathbf{u}]]$, which is $Q[\mathbf{u}, \ell(\mathbf{u})]$. ■


Example 1. Let $T$ be the theory of linear integer arithmetic with the usual signature and integer sort $\mathsf{Int}$. Let $\mathbf{x} = (x_1, x_2)$. Now consider the property

$$P[f, \mathbf{x}] := f(\mathbf{x}) \geq x_1 \wedge f(\mathbf{x}) \geq x_2 \wedge (f(\mathbf{x}) \approx x_1 \vee f(\mathbf{x}) \approx x_2) \qquad (5)$$

with $f$ of type $\mathsf{Int} \times \mathsf{Int} \to \mathsf{Int}$ and $x_1, x_2$ of type $\mathsf{Int}$. The synthesis problem $\exists f\, \forall \mathbf{x}\, P[f, \mathbf{x}]$ is solved exactly by the function that returns the maximum of its two inputs. Since $P$ is a single-invocation property, we can solve that problem by proving the $T$-unsatisfiability of the conjecture $\exists \mathbf{x}\, \forall y\, \neg Q[\mathbf{x}, y]$ where

$$Q[\mathbf{x}, y] := y \geq x_1 \wedge y \geq x_2 \wedge (y \approx x_1 \vee y \approx x_2) \qquad (6)$$

After Skolemization the conjecture becomes $\forall y\, \neg Q[\mathbf{a}, y]$ for fresh constants $\mathbf{a} = (a_1, a_2)$. When asked to determine the satisfiability of that conjecture an SMT solver may, for instance, instantiate it with $a_1$ and then $a_2$ for $y$, producing the $T$-unsatisfiable set $\{\neg Q[\mathbf{a}, a_1], \neg Q[\mathbf{a}, a_2]\}$. By Proposition 1 one solution for $\exists f\, \forall \mathbf{x}\, P[f, \mathbf{x}]$ is $f = \lambda \mathbf{x}.\, \mathsf{ite}(Q[\mathbf{x}, x_2], x_2, x_1)$, which simplifies to $\lambda \mathbf{x}.\, \mathsf{ite}(x_2 \geq x_1, x_2, x_1)$, representing the desired maximum function. ■

Synthesis by Counterexample-Guided Quantifier Instantiation. Given Proposition 1, the main question is how to get the SMT solver to generate the necessary ground instances from $\forall y\, \neg Q[\mathbf{k}, y]$. Typically, SMT solvers that reason about quantified formulas use heuristic quantifier instantiation techniques based on E-matching, which instantiates universal quantifiers with terms occurring in some current set of ground terms built incrementally from the input formula. Using E-matching-based heuristic instantiation alone is unlikely to be effective in synthesis, where required terms need to be synthesized based on the semantics of the input specification. This is confirmed by our preliminary experiments, even for simple conjectures. We have developed instead a specialized new technique, which we refer to as counterexample-guided quantifier instantiation, that allows the SMT solver to quickly converge in many cases to the instantiations that refute the negated synthesis conjecture (4).
The new technique is similar to a popular scheme for synthesis known as counterexample-guided inductive synthesis, implemented in various synthesis approaches (e.g., [ref]), but with the major difference of being built directly into the SMT solver. The technique is illustrated by the procedure in Figure 1, which grows a set $\Gamma$ of ground instances of $\neg Q[\mathbf{k}, y]$ starting with the formula $G \Rightarrow Q[\mathbf{k}, e]$ where $G$ and $e$ are fresh constants of sort $\mathsf{Bool}$ and $\sigma$, respectively. Intuitively, $e$ represents a current, partial solution for the original synthesis conjecture $\exists f\, \forall \mathbf{x}\, Q[\mathbf{x}, f(\mathbf{x})]$, while $G$ represents the possibility that the conjecture has a (syntactic) solution in the first place.

The procedure, which may not terminate in general, terminates either when $\Gamma$ becomes unsatisfiable, in which case it has found a solution, or when $\Gamma$ is still satisfiable but all of its models falsify $G$, in which case the search for a solution was inconclusive. The procedure is not solution-complete, that is, it is not guaranteed to return a solution whenever there is one. However, thanks to Proposition 1, it is solution-sound: every $\lambda$-term it returns is indeed a solution of the original synthesis problem.

Finding instantiations. The choice of the term $t$ in Step 2 of the procedure is intentionally left underspecified because it can be done in a number of ways. Having a good heuristic for such instantiations is, however, critical to the effectiveness of the procedure in practice. In a $\Sigma$-theory $T$, like integer arithmetic, with a fixed interpretation for symbols in $\Sigma$ and a distinguished set of ground $\Sigma$-terms denoting the elements of a sort, a simple, if naive, choice for $t$ in Figure 1 is the distinguished term denoting the element $e^{\mathcal{I}}$. For instance, if $\sigma$ is $\mathsf{Int}$ in integer arithmetic, $t$ could be a concrete integer constant ($0, \pm 1, \pm 2, \ldots$). This choice amounts to testing whether points in the codomain of the sought function $f$ satisfy the original specification $P$.

More sophisticated choices for $t$, in particular where $t$ contains the variables $\mathbf{x}$, may increase the generalization power of this procedure and hence its ability to find a solution. For instance, our present implementation in the CVC4 solver relies on the fact that the model $\mathcal{I}$ in Step 2 is constructed from a set of equivalence classes over terms computed by the solver during its search. The procedure selects the term $t$ among those in the equivalence class of $e$, other than $e$ itself. For instance, consider formula (6) from the previous example that encodes the single-invocation form of the specification for the max function. The DPLL($T$) architecture, on which CVC4 is based, finds a model for $Q[\mathbf{a}, e]$ with $\mathbf{a} = (a_1, a_2)$ only if it can first find a subset $M$ of that formula's literals that collectively entail $Q[\mathbf{a}, e]$ at the propositional level. Due to the last conjunct of (6), $M$ must include either $e \approx a_1$ or $e \approx a_2$. Hence, whenever a model can be constructed for $Q[\mathbf{a}, e]$, the equivalence class containing $e$ must contain either $a_1$ or $a_2$. Thus using the above selection heuristic, the procedure in Figure 1 will, after at most two iterations of the loop in Step 2, add the instances $\neg Q[\mathbf{a}, a_1]$ and $\neg Q[\mathbf{a}, a_2]$ to $\Gamma$. As noted in Example 1, these two instances are jointly $T$-unsatisfiable. We expect that more sophisticated instantiation techniques can be incorporated. In particular, both quantifier elimination techniques [ref] and approaches currently used to infer invariants from templates [ref] are likely to be beneficial for certain classes of synthesis problems. The advantage of developing these techniques within an SMT solver is that they directly benefit both synthesis and verification in the presence of quantified conjectures, thus fostering cross-fertilization between different fields.
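The following Python program is added here as an illustration of the procedure of Figure 1, Proposition 1 and the instantiation heuristic just described, run on the max specification (6) of Example 1; it is not code from the paper or from CVC4. Two simplifications are assumptions of the example: the SMT solver is replaced by a brute-force model finder over a small integer range (CVC4 reasons over all integers, so its unsatisfiability answers are not bounded by a domain), and the equivalence-class heuristic is approximated by choosing, among the terms x1, x2 and a few constants, one whose value at the model equals the value of e. The instantiating terms t1, ..., tp returned by the loop are then assembled into the ite-chain of Proposition 1 and checked against the specification.

```python
import itertools

# Single-invocation specification Q[x, y] of Example 1 (the max function):
#   y >= x1 and y >= x2 and (y = x1 or y = x2)
def Q(x1, x2, y):
    return y >= x1 and y >= x2 and (y == x1 or y == x2)

# Terms t[x] the instantiation heuristic may choose: the variables first, then constants.
CANDIDATE_TERMS = ["x1", "x2", "0", "1", "-1"]

def eval_term(t, x1, x2):
    """Value of the term t[x] at the point x = (x1, x2)."""
    return {"x1": x1, "x2": x2}[t] if t in ("x1", "x2") else int(t)

# Constructed finite domain standing in for the solver's search (an assumption of this
# example; CVC4 reasons over all integers, so its unsat answers are not domain-bounded).
DOMAIN = range(-3, 4)

def instances_hold(terms, k1, k2):
    """True iff every instance ~Q[k, t_i[k]] currently in Gamma is satisfied at k."""
    return all(not Q(k1, k2, eval_term(t, k1, k2)) for t in terms)

def find_model(terms):
    """Step 2: a model of Gamma and G, i.e. of Q[k, e] together with all instances.
    Returns (k1, k2, e) or None when no such model exists."""
    for k1, k2, e in itertools.product(DOMAIN, DOMAIN, DOMAIN):
        if Q(k1, k2, e) and instances_hold(terms, k1, k2):
            return k1, k2, e
    return None

def instances_unsat(terms):
    """Termination test of step 2: is {~Q[k, t_1[k]], ..., ~Q[k, t_p[k]]} unsatisfiable?
    (Checked over DOMAIN only; a real solver proves this over all integers.)"""
    return bool(terms) and not any(instances_hold(terms, k1, k2)
                                   for k1, k2 in itertools.product(DOMAIN, DOMAIN))

def pick_term(k1, k2, e):
    """Choose t[x] with t[k]^I = e^I, preferring terms over the variables x to the
    constant denoting e^I (cf. CVC4's choice from the equivalence class of e)."""
    for t in CANDIDATE_TERMS:
        if eval_term(t, k1, k2) == e:
            return t
    return str(e)                               # naive fallback: the constant e^I

def solution_text(terms):
    """The ite-chain of Proposition 1 for t_1, ..., t_p, as text."""
    expr = terms[0]
    for t in terms[1:]:
        expr = f"ite(Q[x,{t}], {t}, {expr})"
    return expr

def build_solution(terms):
    """The same ite-chain as an executable Python function of (x1, x2)."""
    def f(x1, x2):
        for t in reversed(terms[1:]):           # test Q[x, t_p] first, then t_{p-1}, ...
            v = eval_term(t, x1, x2)
            if Q(x1, x2, v):
                return v
        return eval_term(terms[0], x1, x2)      # innermost else-branch: t_1
    return f

def synthesize(max_rounds=20):
    """The loop of Figure 1: returns the instantiating terms t_1, ..., t_p, or None."""
    terms = []
    for _ in range(max_rounds):
        model = find_model(terms)
        if model is None:
            return None                         # "no solution found"
        k1, k2, e = model
        terms.append(pick_term(k1, k2, e))      # Gamma := Gamma U {~Q[k, t[k]]}
        if instances_unsat(terms):
            return terms
    return None

if __name__ == "__main__":
    ts = synthesize()
    print("instances:", ts)                     # ['x1', 'x2']
    print("solution: lambda x.", solution_text(ts))
```

With the variable-first preference the run mirrors the paper's account: the first model puts e in the class of x1, the second in the class of x2, and the two instances are jointly unsatisfiable, giving ite(Q[x,x2], x2, x1). Dropping the variables from CANDIDATE_TERMS reproduces the naive constant-only choice, which needs one instance per codomain point and cannot terminate on an unbounded domain.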
$\forall x\, y\;\; \mathsf{ev}(\mathsf{x}_1, x, y) \approx x$
$\forall x\, y\;\; \mathsf{ev}(\mathsf{x}_2, x, y) \approx y$
$\forall x\, y\;\; \mathsf{ev}(\mathsf{zero}, x, y) \approx 0$
$\forall x\, y\;\; \mathsf{ev}(\mathsf{one}, x, y) \approx 1$
$\forall s_1\, s_2\, x\, y\;\; \mathsf{ev}(\mathsf{plus}(s_1, s_2), x, y) \approx \mathsf{ev}(s_1, x, y) + \mathsf{ev}(s_2, x, y)$
$\forall s_1\, s_2\, x\, y\;\; \mathsf{ev}(\mathsf{minus}(s_1, s_2), x, y) \approx \mathsf{ev}(s_1, x, y) - \mathsf{ev}(s_2, x, y)$
$\forall c\, s_1\, s_2\, x\, y\;\; \mathsf{ev}(\mathsf{if}(c, s_1, s_2), x, y) \approx \mathsf{ite}(\mathsf{ev}(c, x, y), \mathsf{ev}(s_1, x, y), \mathsf{ev}(s_2, x, y))$
$\forall s_1\, s_2\, x\, y\;\; \mathsf{ev}(\mathsf{leq}(s_1, s_2), x, y) \approx (\mathsf{ev}(s_1, x, y) \leq \mathsf{ev}(s_2, x, y))$
$\forall s_1\, s_2\, x\, y\;\; \mathsf{ev}(\mathsf{eq}(s_1, s_2), x, y) \approx (\mathsf{ev}(s_1, x, y) \approx \mathsf{ev}(s_2, x, y))$
$\forall c_1\, c_2\, x\, y\;\; \mathsf{ev}(\mathsf{and}(c_1, c_2), x, y) \approx (\mathsf{ev}(c_1, x, y) \wedge \mathsf{ev}(c_2, x, y))$
$\forall c\, x\, y\;\; \mathsf{ev}(\mathsf{not}(c), x, y) \approx \neg \mathsf{ev}(c, x, y)$

Fig. 2. Axiomatization of the evaluation operators in grammar $R$ from Example 2.

4 Refutation-Based Syntax-Guided Synthesis 


In syntax-guided synthesis, the functional specification is strengthened by an accompanying set of syntactic restrictions on the form of the expected solutions. In a recent line of work [ref] these restrictions are expressed by a grammar $R$ (augmented with a kind of let binder) defining the language of solution terms, or programs, for the synthesis problem. In this section, we present a variant of the approach in the previous section that incorporates the syntactic restriction directly into the SMT solver via a deep embedding of the syntactic restriction $R$ into the solver's logic. The main idea is to represent $R$ as a set of algebraic datatypes and build into the solver an interpretation of these datatypes in terms of the original theory $T$.

While our approach is parametric in the background theory T and the restriction R, 
it is best explained here with a concrete example. 

Example 2. Consider again the synthesis conjecture (6) from Example 1 but now with a syntactic restriction $R$ for the solution space expressed by these algebraic datatypes:

  S := x1 | x2 | zero | one | plus(S, S) | minus(S, S) | if(C, S, S)
  C := leq(S, S) | eq(S, S) | and(C, C) | not(C)

The datatypes are meant to encode a term signature that includes nullary constructors for the variables $x_1$ and $x_2$ of (5), and constructors for the symbols of the arithmetic theory $T$. Terms of sort S (resp., C) refer to theory terms of sort $\mathsf{Int}$ (resp., $\mathsf{Bool}$).

Instead of the theory of linear integer arithmetic, we now consider its combination $T_{\mathrm{D}}$ with the theory of the datatypes above extended with two evaluation operators, that is, two function symbols $\mathsf{ev}^{\mathsf{S}\,\mathsf{Int}\,\mathsf{Int}\,\mathsf{Int}}$ and $\mathsf{ev}^{\mathsf{C}\,\mathsf{Int}\,\mathsf{Int}\,\mathsf{Bool}}$ respectively embedding S in $\mathsf{Int}$ and C in $\mathsf{Bool}$. We define $T_{\mathrm{D}}$ so that all of its models satisfy the formulas in Figure 2. The evaluation operators effectively define an interpreter for programs (i.e., terms of sort S and C) with input parameters $x_1$ and $x_2$.

It is possible to instrument an SMT solver that supports user-defined datatypes, quantifiers and linear arithmetic so that it constructs automatically from the syntactic restriction $R$ both the datatypes S and C and the two evaluation operators. Reasoning about S and C is done by the built-in subsolver for datatypes. Reasoning about the evaluation operators is achieved by reducing ground terms of the form $\mathsf{ev}(d, t_1, t_2)$ to smaller terms by means of selected instantiations of the axioms from Figure 2, with a number of instances proportional to the size of term $d$. It is also possible to show that $T_{\mathrm{D}}$ is satisfaction complete with respect to the class

$$\mathbf{L}_{\mathrm{D}} := \{\exists g\, \forall \mathbf{x}\; P[\lambda \mathbf{z}.\, \mathsf{ev}(g, \mathbf{z}), \mathbf{x}] \mid P[f, \mathbf{x}] \in \mathbf{P}\}$$

On Counterexample Guided Quantifier Instantiation for Synthesis in CVC4 




1. $\Gamma := \emptyset$

2. Repeat
     (a) Let $\mathbf{k}$ be a tuple of distinct fresh constants.
         If there is a model $\mathcal{I}$ of $T_{\mathrm{D}}$ satisfying $\Gamma$ and $G$, then $\Gamma := \Gamma \cup \{\neg P_{\mathsf{ev}}[e^{\mathcal{I}}, \mathbf{k}]\}$;
         otherwise, return "no solution found"
     (b) If there is a model $\mathcal{I}$ of $T_{\mathrm{D}}$ satisfying $\Gamma$, then $\Gamma := \Gamma \cup \{G \Rightarrow P_{\mathsf{ev}}[e, \mathbf{k}^{\mathcal{I}}]\}$;
         otherwise, return $e^{\mathcal{I}}$ as a solution

Fig. 3. A refutation-based syntax-guided synthesis procedure for $\exists f\, \forall \mathbf{x}\, P_{\mathsf{ev}}[f, \mathbf{x}]$.

where instead of terms of the form $f(t_1, t_2)$ in $P$ we have, modulo $\beta$-reductions, terms of the form $\mathsf{ev}(g, t_1, t_2)$.³ For instance, the formula $P[f, \mathbf{x}]$ in Equation (5) from Example 1 can be restated in $T_{\mathrm{D}}$ as the formula below, where $g$ is a variable of type S:

$$P_{\mathsf{ev}}[g, \mathbf{x}] := \mathsf{ev}(g, \mathbf{x}) \geq x_1 \wedge \mathsf{ev}(g, \mathbf{x}) \geq x_2 \wedge (\mathsf{ev}(g, \mathbf{x}) \approx x_1 \vee \mathsf{ev}(g, \mathbf{x}) \approx x_2)$$

In contrast to $P[f, \mathbf{x}]$, the new formula $P_{\mathsf{ev}}[g, \mathbf{x}]$ is first-order, with the role of the second-order variable $f$ now played by the first-order variable $g$.

When asked for a solution for (5) under the restriction $R$, the instrumented SMT solver will try to determine instead the $T_{\mathrm{D}}$-unsatisfiability of $\forall g\, \exists \mathbf{x}\, \neg P_{\mathsf{ev}}[g, \mathbf{x}]$. Instantiating $g$ in the latter formula with $s := \mathsf{if}(\mathsf{leq}(\mathsf{x}_1, \mathsf{x}_2), \mathsf{x}_2, \mathsf{x}_1)$, say, produces a formula that the solver can prove to be $T_{\mathrm{D}}$-unsatisfiable. This suffices to show that the program $\mathsf{ite}(x_1 \leq x_2, x_2, x_1)$, the analogue of $s$ in the language of $T$, is a solution of the synthesis conjecture (5) under the syntactic restriction $R$. ■

To prove the unsatisfiability of formulas like $\forall g\, \exists \mathbf{x}\, \neg P_{\mathsf{ev}}[g, \mathbf{x}]$ in the example above we use a procedure similar to that in Section 3 but specialized to the extended theory $T_{\mathrm{D}}$. The procedure is described in Figure 3. Like the one in Figure 1, it uses an uninterpreted constant $e$ representing a solution candidate, and a Boolean variable $G$ representing the existence of a solution. The main difference, of course, is that now $e$ ranges over the datatype representing the restricted solution space. In any model of $T_{\mathrm{D}}$, a term of datatype sort evaluates to a term built exclusively with constructor symbols. This is why the procedure returns in Step 2b the value of $e$ in the model $\mathcal{I}$ found in Step 2a. As we showed in the previous example, a program that solves the original problem can then be reconstructed from the returned datatype term.

Implementation. We implemented the procedure in the CVC4 solver. Figure 4 shows a run of that implementation over the conjecture from Example 2. In this run, note that each model found for $e$ satisfies all the counterexample points found for previous candidates. After the sixth iteration of Step 2a the procedure finds the candidate $\mathsf{if}(\mathsf{leq}(\mathsf{x}_1, \mathsf{x}_2), \mathsf{x}_2, \mathsf{x}_1)$, for which no counterexample exists, indicating that the procedure has found a solution for the synthesis conjecture. Currently, this problem can be solved in about 0.5 seconds in the latest development version of CVC4.

To make the procedure practical it is necessary to look for small solutions to synthe¬ 
sis conjectures. A simple way to limit the size of the candidate solutions is to consider 

® We stress again, that both the instrumentation of the solver and the satisfaction completeness 
argument for the extended theory are generic with respect to the syntactic restriction on the 
synthesis problem and the original satisfaction complete theory T. 
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Step 

Model 


Added Formula 


{e !->■ xi,...} 


-iPev[xi, ai, bi] 

M 

{ai 1 —¥ 0 , bi 1 —¥ 1 ,.. 

•} 

G ^ Pev[e, 0 , 1 ] 

[ 2 i] 

{e !->■ X2,...} 


-'Pev[x 2 , 32 , b 2 ] 

M 

{32 1 —¥ 1 , b 2 1 —¥ 0 , . . 

•} 

G ^ Pev[e, 1 , 0 ] 

Hi] 

{e M- one,...} 


-.Pev[one, 33 , bs] 

M 

{33 \—¥ 2, bs 1-^ 0,.. 

•} 

G Pev[e, 2 , 0 ] 

Hi) 

{e n- plus(xi,X2),. 


-iPev[plus(xi,X2),a4,b4] 

M 

- 1^34 1 —¥ 1, b 4 1 —¥ 1, . . 

•} 

G ^ Pev[e, 1 , 1 ] 

[2al 

{e if(leq(xi,one 

),one,xi),...} 

-.P<.„[if(leq(xi, one), one, xi), 35, bs] 

M 

{35 1-^ 1, bs 1-^ 2,.. 

•} 

G ^ Pev[e, 1 , 2 ] 

Hi) 

{e M- if(leq(xi,X2), 

X2,Xl),...} 

-.P<.„[if(leq(xi, X2), X2, xi), ae, be] 

M 

none 




For i = 1 ,..., 6, ai and b; are fresh constants of type Int. 

Fig. 4 . A run of the procedure from Figure [3 

smaller programs before larger ones. Adapting techniques for finding finite models of 
minimal size [25], we use a strategy that, starting from n = 0, searches for programs 
of size n + 1 only after it has exhausted the search for programs of size n. In solvers 
based on the DPLL(T) architecture, like CVC4, this can be accomplished by introducing 
a splitting lemma of the form (size(e) ≤ 0 ∨ ¬size(e) ≤ 0) and asserting size(e) ≤ 0 
as the first decision literal, where size is a function symbol of type σ → Int for every 
datatype sort σ and stands for the function that maps each datatype value to its term 
size (i.e., the number of non-nullary constructor applications in the term). We do the 
same for size(e) ≤ 1 if and when ¬size(e) ≤ 0 becomes asserted. We extended the 
procedure for algebraic datatypes in CVC4 to handle constraints involving size. The 
extended procedure remains a decision procedure for input problems with a concrete 
upper bound on terms of the form size(u), for each variable or uninterpreted constant u 
of datatype sort in the problem. This is enough for our purposes since the only term u 
like that in our synthesis procedure is e. 
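The following Python program is an added illustration of the size-fair search and of the kind of run shown in Figure 4; it is example code written for this page, not code from the paper or from CVC4. It assumes a constructed grammar S ::= x1 | x2 | zero | one | plus(S, S) | if(C, S, S) and C ::= leq(S, S) (modelled on Example 2), evaluates datatype terms with an explicit ev function, and replaces the solver's Step 2b query for a model of the negated property by a brute-force search over a small integer box, which is an assumption made so that the code runs without an SMT solver. Candidates of size n are exhausted before any candidate of size n + 1 is tried, and every rejected candidate contributes a counterexample point that later candidates must satisfy, exactly the role of the G ⇒ P_ev[e, a, b] clauses in the figure.

```python
from functools import lru_cache
from itertools import product

# Constructed grammar (an assumption modelled on the paper's Example 2):
#   S ::= x1 | x2 | zero | one | plus(S, S) | if(C, S, S)
#   C ::= leq(S, S)
# Datatype terms are nested tuples such as ('plus', ('x1',), ('one',)).
# size(t) = number of non-nullary constructor applications, as in the paper.

LEAVES = (('x1',), ('x2',), ('zero',), ('one',))


@lru_cache(maxsize=None)
def programs(n):
    """All S-terms of size exactly n; enumerating n = 0, 1, 2, ... is fair."""
    if n == 0:
        return LEAVES
    out = []
    for i in range(n):                 # plus(a, b): 1 + size(a) + size(b) == n
        for a in programs(i):
            for b in programs(n - 1 - i):
                out.append(('plus', a, b))
    for i in range(1, n):              # if(c, a, b): 1 + size(c) + size(a) + size(b) == n
        for j in range(n - i):
            for c in conditions(i):
                for a in programs(j):
                    for b in programs(n - 1 - i - j):
                        out.append(('if', c, a, b))
    return tuple(out)


@lru_cache(maxsize=None)
def conditions(n):
    """All C-terms of size exactly n (leq is the only condition constructor)."""
    if n == 0:
        return ()
    return tuple(('leq', a, b) for i in range(n)
                 for a in programs(i) for b in programs(n - 1 - i))


def size(t):
    return 0 if t in LEAVES else 1 + sum(size(c) for c in t[1:])


def ev(t, x1, x2):
    """The evaluation function ev: value of datatype term t on inputs x1, x2."""
    op = t[0]
    if op == 'x1':
        return x1
    if op == 'x2':
        return x2
    if op == 'zero':
        return 0
    if op == 'one':
        return 1
    if op == 'plus':
        return ev(t[1], x1, x2) + ev(t[2], x1, x2)
    if op == 'leq':
        return ev(t[1], x1, x2) <= ev(t[2], x1, x2)
    if op == 'if':
        return ev(t[2], x1, x2) if ev(t[1], x1, x2) else ev(t[3], x1, x2)
    raise ValueError(op)


def spec(t, x1, x2):
    """P_ev[t, x1, x2] for the max-of-two conjecture of Example 2."""
    g = ev(t, x1, x2)
    return x1 <= g and x2 <= g and (g == x1 or g == x2)


def counterexample(t, bound=3):
    """Stand-in for Step 2b: the paper asks the SMT solver for a model of
    ¬P_ev[e^M, a, b]; here we search a small integer box instead (assumption)."""
    for x1, x2 in product(range(-bound, bound + 1), repeat=2):
        if not spec(t, x1, x2):
            return (x1, x2)
    return None


def synthesize(max_size=3):
    """Figure 3 with the size-fair strategy: all programs of size n are tried
    before any of size n + 1.  Returns (solution, its size, counterexamples)."""
    points = []   # each (a, b) plays the role of the clause G ⇒ P_ev[e, a, b]
    for n in range(max_size + 1):
        for e in programs(n):
            # Step 2a: e must satisfy every counterexample recorded so far.
            if all(spec(e, a, b) for a, b in points):
                cex = counterexample(e)
                if cex is None:
                    return e, n, points
                points.append(cex)       # Step 2b: refine with a new point
    return None, None, points


if __name__ == '__main__':
    e, n, points = synthesize()
    print('solution:', e, 'size:', n, 'counterexamples used:', len(points))
```

Running the block returns if(leq(x1, x2), x2, x1), the same size-2 solution that closes the run in Figure 4; because all 4 leaves and all 16 size-1 programs are rejected first, the returned term is guaranteed to be of minimal size under this grammar, which is the property Proposition 2 relies on.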

Proposition 2. With the search strategy above, the procedure in Figure 3 has the following properties: 

1. (Solution Soundness) Every term it returns can be mapped to a solution of the 
original synthesis conjecture ∃f ∀x P[f, x] under the restriction R. 

2. (Refutation Soundness) If it answers "no solution found", the original conjecture 
has no solutions under the restriction R. 

3. (Solution Completeness) If the original conjecture has a solution under R, the procedure will find one. 

Proof: To show solution soundness, consider the case when the procedure returns e^M 
as a solution. Then, Γ ∪ ¬P_ev[e^M, k] is T_D-unsatisfiable for some Γ, k, where Γ 
is T_D-satisfiable and k is a tuple of distinct fresh constants. Since k are fresh, Γ ∪ 
∃x ¬P_ev[e^M, x] is T_D-unsatisfiable. Since Γ is T_D-satisfiable and Γ ∪ ∃x ¬P_ev[e^M, x] is 
not, at least one model of T_D (namely, one for Γ) does not satisfy ∃x ¬P_ev[e^M, x]. 
Thus, since T_D is satisfaction complete, no models of T_D satisfy ∃x ¬P_ev[e^M, x], and 
thus all models of T_D satisfy ∀x P_ev[e^M, x]. Assuming our translation from P to P_ev 
is faithful, the analogue of e^M in the language of T is a solution for the conjecture 
∃f ∀x P[f, x]. 

To show refutation soundness, consider the case when the procedure returns "no 
solution found". Then, there exists a Γ = (Γ′ ∪ G ⇒ P_ev[e, k^M]) such that Γ′ is T_D-
satisfiable, and Γ ∪ G is T_D-unsatisfiable. Clearly, based on the clauses added by the procedure, 
Γ is equivalent to Γ″ ∪ G ⇒ (P_ev[e, u_1] ∧ ... ∧ P_ev[e, u_n]), for some 
u_1, ..., u_n, where Γ″ ⊆ Γ′ is T_D-satisfiable and does not contain G or e. Since Γ ∪ G is 
T_D-unsatisfiable, we have that Γ″ ∪ P_ev[e, u_1] ∧ ... ∧ P_ev[e, u_n] is T_D-unsatisfiable. Since 
Γ″ does not contain e, Γ″ ∪ ∃y (P_ev[y, u_1] ∧ ... ∧ P_ev[y, u_n]) is T_D-unsatisfiable. Since 
T_D is satisfaction complete and Γ″ is T_D-satisfiable, ∃y (P_ev[y, u_1] ∧ ... ∧ P_ev[y, u_n]) 
is false in every model of T_D. Thus, ∃y (P_ev[y, u_1] ∧ ... ∧ P_ev[y, u_n]) is T_D-unsatisfiable, and thus 
∃y ∀x P_ev[y, x] is T_D-unsatisfiable. Assuming our translation from P to P_ev is faithful, 
this implies there is no solution for the conjecture ∃f ∀x P[f, x]. 

Given solution and refutation soundness of the procedure, to show the procedure is 
solution complete, it suffices to show that the procedure terminates when the original 
conjecture has a solution under R. Let λx. t be such a solution, and let d be the analogue 
of t in the language of T_D. Let n be equal to the number of datatype values of the same type 
as d that are at most the size of d, which we know is finite. For i = 1, 2, ..., let I_i and 
J_i be the models found on the i-th iteration of Steps 2a and 2b respectively. Assume the 
procedure runs at least k iterations, and let 1 ≤ j ≤ k. Since J_j satisfies ¬P_ev[e^{I_j}, k], 
all models of T_D satisfy ¬P_ev[e^{I_j}, k^{J_j}] since T_D is satisfaction complete. Since every 
later model I_{j′} with j′ > j satisfies G, it must also satisfy P_ev[e, k^{J_j}], and thus e^{I_{j′}} ≠ e^{I_j}. Thus, 
e^{I_1}, ..., e^{I_k} are pairwise distinct, and the procedure in Figure 3 executes at most n iterations of Step 2a. Since 
the background theory T_D is decidable, Steps 2a and 2b are terminating, and thus the 
procedure is terminating when a solution exists. ■ 

Note that by this proposition the procedure can diverge only if the input synthesis 
conjecture has no solution. 


5 Single Invocation Techniques for Syntax-Guided Problems 

In this section, we consider the combined case of single-invocation synthesis conjectures 
with syntactic restrictions. Given a set R of syntactic restrictions expressed by a 
datatype S for programs and a datatype C for Boolean expressions, consider the case 
where (i) S contains the constructor if : C × S × S → S (with the expected meaning) 
and (ii) the function to be synthesized is specified by a single-invocation property that 
can be expressed as a term of sort C. This is the case for the conjecture from Example 2, 
where the property P_ev[g, x] can be rephrased as: 

P_C[g, x] := ev(and(leq(x1, g), and(leq(x2, g), or(eq(g, x1), eq(g, x2)))), x)    (7) 

where again g has type S, x = (x1, x2), and x1 and x2 have type Int. The procedure 
in Figure 1 can be readily modified to apply to this formula, with P_C[g, k] and g taking 
the role respectively of Q[k, y] and y in that figure, since it generates solutions meeting 
our syntactic requirements. Running this modified procedure instead of the one in Figure 3 
1. A := ∅ 

2. for i = 1, 2, ... 

   (a) (s, U) := rcon(t↓, S, A); 

   (b) if U is empty, return s; otherwise, for each datatype D_i occurring in U 

       let d_i be the next term in a fair enumeration of the elements of D_i 
       let t_i be the analogue of d_i in the background theory T 
       add (t_i↓, t_i, D_i) to A 


rcon(t, D, A) 

   if (t, s, D) ∈ A, return (s, ∅); otherwise, do one of the following: 

   (1) choose a term f(t_1, ..., t_n) s.t. f(t_1, ..., t_n)↓ = t and f has an analogue 
       constructor of type D_1 × ... × D_n → D in D 

       let (s_i, U_i) = rcon(t_i↓, D_i, A) for i = 1, ..., n 

       return (f(s_1, ..., s_n), U_1 ∪ ... ∪ U_n) 

   (2) return (t, {(t, D)}) 

Fig. 5. A procedure for finding a term equivalent to t that meets the syntactic restrictions specified 
by datatype S. 

has the advantage that only the outputs of a solution need to be synthesized, not conditions 
in ite-terms. However, in our experimental evaluation we found that the overhead 
of using an embedding into datatypes for syntax-guided problems is significant with 
respect to the performance of the solver on problems with no syntactic restrictions. For 
this reason, we advocate an approach for single-invocation synthesis conjectures with 
syntactic restrictions that runs the procedure from Figure 1 as is, ignoring the syntactic 
restrictions R, and subsequently reconstructs from its returned solution one satisfying 
the restrictions. For that it is useful to assume that terms t in T can be effectively reduced 
to some (T-equivalent and unique) normal form, which we denote by t↓. 

Say the procedure from Figure 1 returns a solution λx. t for a function f. To construct 
from that a solution that meets the syntactic restrictions specified by datatype S, 
we run the iterative procedure described in Figure 5. This procedure maintains an evolving 
set A of triples of the form (t, s, D), where D is a datatype, t is a term in normal 
form, and s is a term satisfying the restrictions specified by D. The procedure incrementally 
makes calls to the subprocedure rcon, which takes a normal form term t, a datatype D 
and the set A above, and returns a pair (s, U) where s is a term equivalent to t in T, and 
U is a set of pairs (s′, D′) where s′ is a subterm of s that fails to satisfy the syntactic 
restriction expressed by datatype D′. Overall, the procedure alternates between calling 
rcon and adding triples to A until rcon(t, D, A) returns a pair of the form (s, ∅), in 
which case s is a solution satisfying the syntactic restrictions specified by S. 

Example 3. Say we wish to construct a solution equivalent to λx1 x2. x1 + (2 * x2) that 
meets restrictions specified by datatype S from Example 2. To do so, we let A = ∅, 
and call rcon((x1 + (2 * x2))↓, S, A). Since A is empty and + is the analogue of 
constructor plus of S, assuming (x1 + (2 * x2))↓ = x1 + (2 * x2), we may choose 
to return a pair based on the result of calling rcon on x1↓ and (2 * x2)↓. Since x1 is a 
constructor of S and x1↓ = x1, rcon(x1, S, A) returns (x1, ∅). Since S does not have a 
constructor for *, we must either choose a term t such that t↓ = (2 * x2)↓ where the 
topmost symbol of t is the analogue of a constructor in S, or otherwise return the pair 
(2 * x2, {(2 * x2, S)}). Suppose we do the latter, and thus rcon(x1 + (2 * x2), S, A) 
returns (x1 + (2 * x2), {(2 * x2, S)}). Since the second component of this pair is not 
empty, we pick in Step 2b the first element of S, x1 say, and add (x1, x1, S) to A. 
We then call rcon((x1 + (2 * x2))↓, S, A) which by the same strategy above returns 
(x1 + (2 * x2), {(2 * x2, S)}). This process continues until we pick the term plus(x2, x2), 
say, whose analogue is x2 + x2. Assuming (x2 + x2)↓ = (2 * x2)↓, after adding the triple 
(2 * x2, x2 + x2, S) to A, rcon((x1 + (2 * x2))↓, S, A) returns the pair (x1 + (x2 + x2), ∅), 
indicating that λx1 x2. x1 + (x2 + x2) is equivalent to λx1 x2. x1 + (2 * x2), and meets 
the restrictions specified by S. ■ 
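As an added worked version of Figure 5 and Example 3 (example code written for this page, not the paper's or CVC4's implementation), the following Python program reconstructs a linear-arithmetic solution into the constructed datatype S ::= x1 | x2 | zero | one | plus(S, S), which deliberately has no constructor for *. The normal form t↓ is the sorted-monomial form the text attributes to CVC4's linear arithmetic procedure, implemented here from scratch as an assumption; rcon follows the two cases of the figure, and the outer loop feeds it one term of a fair (size-ordered) enumeration of S per round until rcon returns an empty U.

```python
from functools import lru_cache
from itertools import count

# Assumptions for this example: background theory T is linear integer
# arithmetic and the syntactic restriction is the constructed datatype
#   S ::= x1 | x2 | zero | one | plus(S, S)
# T-terms are nested tuples ('+', a, b), ('*', k, a) with an integer k,
# ('x1',), ('x2',), or a plain int.  S-terms are tuples of constructor names.


def normalize(t):
    """t↓: normal form as a sorted tuple of (variable, coefficient) monomials
    plus the integer constant, mirroring a sorted list of monomials."""
    coeffs, const = {}, 0

    def walk(u, k):
        nonlocal const
        if isinstance(u, int):
            const += k * u
        elif u[0] in ('x1', 'x2'):
            coeffs[u[0]] = coeffs.get(u[0], 0) + k
        elif u[0] == '+':
            walk(u[1], k)
            walk(u[2], k)
        elif u[0] == '*':
            walk(u[2], k * u[1])
        else:
            raise ValueError(u)
    walk(t, 1)
    return (tuple(sorted((v, c) for v, c in coeffs.items() if c)), const)


# Nullary constructors of S and their analogues in T.
NULLARY = {('x1',): ('x1',), ('x2',): ('x2',), ('zero',): 0, ('one',): 1}


def analogue(d):
    """The T-term denoted by an S-term d (plus is the analogue of +)."""
    return NULLARY[d] if d in NULLARY else ('+', analogue(d[1]), analogue(d[2]))


@lru_cache(maxsize=None)
def s_terms(n):
    """S-terms with exactly n plus applications, smallest terms first."""
    if n == 0:
        return tuple(NULLARY)
    return tuple(('plus', a, b) for i in range(n)
                 for a in s_terms(i) for b in s_terms(n - 1 - i))


def fair_enumeration():
    for n in count():
        yield from s_terms(n)


def rcon(t, D, A):
    """rcon(t, D, A) of Figure 5 for D = S.  A maps (t↓, D) to the S-term s of a
    triple (t, s, D).  Returns (s, U); an element (t', D) of U is a subterm that
    could not be rebuilt and is left in place inside s, as in case (2)."""
    if (t, D) in A:
        return A[(t, D)], set()
    for ctor, ana in NULLARY.items():          # case (1) with a nullary constructor
        if normalize(ana) == t:
            return ctor, set()
    monos, const = t
    if monos and (len(monos) > 1 or const):    # case (1): t = m + rest, + ~ plus
        s1, U1 = rcon(((monos[0],), 0), D, A)
        s2, U2 = rcon((monos[1:], const), D, A)
        return ('plus', s1, s2), U1 | U2
    return t, {(t, D)}                         # case (2): e.g. 2 * x2 has no + on top


def reconstruct(t, max_rounds=10_000):
    """Main loop of Figure 5: alternate rcon with one more enumerated term per
    datatype occurring in U, until rcon returns (s, ∅)."""
    A, enum, t0 = {}, {'S': fair_enumeration()}, normalize(t)
    for _ in range(max_rounds):
        s, U = rcon(t0, 'S', A)                           # step 2a
        if not U:
            return s                                      # step 2b, U empty
        for _, D in sorted(U):                            # step 2b, extend A
            d = next(enum[D])
            A.setdefault((normalize(analogue(d)), D), d)  # add (t_i↓, t_i, D_i)
    return None


if __name__ == '__main__':
    print(reconstruct(('+', ('x1',), ('*', 2, ('x2',)))))
```

On the input of Example 3 the loop adds x1, x2, zero, one and then the size-1 terms in turn, and terminates once plus(x2, x2), whose analogue normalizes to 2 * x2, enters A, returning plus(x1, plus(x2, x2)). The `setdefault` keeps the first S-term found for each normal form, which is how two enumerated terms with the same normal form (plus(x1, x2) and plus(x2, x1)) are treated identically, the point made in the text about normalization underapproximating equivalence.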

This procedure depends upon the use of normal forms for terms. It should be noted 
that, since the top symbol of t is generally ite, this normalization includes not only low-level 
rewriting of literals within t, but also high-level rewriting techniques such as ite 
simplification, redundant subterm elimination and destructive equality resolution. Also, 
notice that we are not assuming that t↓ = s↓ if and only if t is equivalent to s, and thus 
normal forms only underapproximate an equivalence relation between terms. Having a 
(more) consistent normal form for terms allows us to compute a (tighter) underapproximation, 
thus improving the performance of the reconstruction. In this procedure, we use 
the same normal form for terms that is used by the individual decision procedures of 
CVC4. This is unproblematic for theories such as linear arithmetic whose normal form 
for terms is a sorted list of monomials, but it can be problematic for theories such as 
bitvectors. As a consequence, we use several optimizations, omitted in the description 
of the procedure in Figure 5, to increase the likelihood that the procedure terminates 
in a reasonable amount of time. For instance, in our implementation the return value 
of rcon is not recomputed every time A is updated. Instead, we maintain an evolving 
directed acyclic graph (dag), whose nodes are pairs (t, S) for term t and datatype S 
(the terms we have yet to reconstruct), and whose edges are the direct subchildren of 
that term. Datatype terms are enumerated for all datatypes in this dag, which is incrementally 
pruned as pairs are added to A until it becomes empty. Another optimization 
is that the procedure rcon may choose to try simultaneously to reconstruct multiple 
terms of the form f(t_1, ..., t_n) when matching a term t to a syntactic specification S, 
reconstructing t when any such term can be reconstructed. 

Although the overhead of this procedure can be significant when large subterms 
do not meet the syntactic restrictions, we found that in practice it quickly terminates 
successfully for a majority of the solutions we considered where reconstruction was 
possible, as we discuss in the next section. Furthermore, it makes our implementation 
more robust, since it effectively treats in the same way different properties that are equal 
modulo normalization (which is parametric in the built-in theories we consider). 

6 Experimental Evaluation 

We implemented the techniques from the previous sections in the SMT solver CVC4, 
which has support for quantified formulas and a wide range of theories including arithmetic, 
bitvectors, and algebraic datatypes. We evaluated our implementation on 243 
benchmarks used in the SyGuS 2014 competition that were publicly available on 
the StarExec execution service. The benchmarks are in a new format for specifying 
syntax-guided synthesis problems [22]. We added parsing support to CVC4 for 
             array (32)    bv (7)      hd (56)       icfp (50)     int (15)     let (8)     multf (8)    Total (176)
             #    time     #    time   #     time    #     time    #    time    #    time   #    time    #      time
esolver      4    2250.7   2    71.2   50    878.5   0     0       5    1416.7  2    0.0    7    0.6     70     4617.7
cvc4+sg      1    3.1      0    0      34    4308.9  1     0.5     3    1.7     2    0.5    7    628.3   48     4943
cvc4+si-r    (32) 1.2      (6)  4.7    (56)  2.1     (43)  3403.5  (15) 0.6     (8)  1.0    (8)  0.2     (168)  3413.3
cvc4+si      30   1449.5   5    0.1    52    2322.9  0     0       6    0.1     2    0.5    7    0.1     102    3773.2

Fig. 6. Results for single-invocation synthesis conjectures, showing times (in seconds) and number 
of benchmarks solved by each solver and configuration over 8 benchmark classes with a 
3600s timeout. The number of benchmarks solved by configuration cvc4+si-r are in parentheses 
because its solutions do not necessarily satisfy the given syntactic restrictions. 

most features of this format. All SyGuS benchmarks considered contain synthesis conjectures 
whose background theory is either linear integer arithmetic or bitvectors. We 
made some minor modifications to benchmarks to avoid naming conflicts, and to explicitly 
define several bitvector operators that are not supported natively by CVC4. 

We considered multiple configurations of CVC4 corresponding to the techniques 
mentioned in this paper. Configuration cvc4+sg executes the syntax-guided procedure 
from Section 4 even in cases where the synthesis conjecture is single-invocation. Configuration 
cvc4+si-r executes the procedure from Section 3 on all benchmarks having 
conjectures that it can deduce are single-invocation. In total, it discovered that 176 of 
the 243 benchmarks could be rewritten into a form that was single-invocation. This 
configuration simply ignores any syntax restrictions on the expected solution. Finally, 
configuration cvc4+si uses the same procedure used by cvc4+si-r but then attempts to 
reconstruct any found solution as a term in the required syntax, as described in Section 5. 

We ran all configurations on all benchmarks on the StarExec cluster. We provide 
comparative results here primarily against the enumerative CEGIS solver ESOLVER, 
the winner of the SyGuS 2014 competition. In our tests, we found that 
ESOLVER performed significantly better than the other entrants of that competition. 

Benchmarks with single-invocation synthesis conjectures. The results for benchmarks 
with single-invocation properties are shown in Figure 6. Configuration cvc4+si-r 
found a solution (although not necessarily in the required language) very quickly for a 
majority of benchmarks. It terminated successfully for 168 of 176 benchmarks, and in 
less than a second for 159 of those. Not all solutions found using this method met the 
syntactic restrictions. Nevertheless, our methods for reconstructing these solutions into 
the required grammar, implemented in configuration cvc4+si, succeeded in 102 cases, 
or 61% of the total. This is 32 more benchmarks than the 70 solved by ESOLVER, the 
best known solver for these benchmarks so far. In total, cvc4+si solved 34 benchmarks 
that ESOLVER did not, while ESOLVER solved 2 that cvc4+si did not. 

The solutions returned by cvc4+si-r were often large, having on the order of 10K subterms 
for harder benchmarks. However, after exhaustively applying simplification techniques 
during reconstruction with configuration cvc4+si, we found that the size of those 
solutions is comparable to other solvers, and in some cases even smaller. For instance, 
among the 68 benchmarks solved by both ESolver and cvc4+si, the former produced 
a smaller solution in 15 cases and the latter in 9. Only in 2 cases did cvc4+si produce 
a solution that had 10 more subterms than the solution produced by ESOLVER. This 
indicates that in addition to having a high precision, the techniques from Section 5 used 


Footnote: A detailed summary can be found at http://lara.epfl.ch/w/cvc4-synthesis 
           int (3)        invgu (28)     invg (28)      vctrl (8)      Total (67)
           #   time       #    time      #    time      #   time       #    time
esolver    3   1.6        25   86.3      25   85.6      5   29.5       58   203.0
cvc4+sg    3   1476.0     23   811.6     22   2283.2    5   2933.1     53   7503.9

Fig. 7. Results for synthesis conjectures that are not single-invocation, showing times (in seconds) 
and numbers of benchmarks solved by CVC4 and ESolver over 4 benchmark classes with a 
3600s timeout. 

for solution reconstruction are effective also at producing succinct solutions for this 
benchmark library. 

Configuration cvc4+sg does not take advantage of the fact that a synthesis conjecture 
is single-invocation. However, it was able to solve 48 of these benchmarks, including 
a small number not solved by any other configuration, like one from the icfp class 
whose solution was a single-argument function over bitvectors that shifted its input right 
by four bits. In addition to being solution complete, cvc4+sg always produces solutions 
of minimal term size, something not guaranteed by the other solvers and CVC4 configurations. 
Of the 47 benchmarks solved by both cvc4+sg and ESOLVER, the solution 
returned by cvc4+sg was smaller than the one returned by ESOLVER in 6 cases, and had 
the same size in the others. This provides an experimental confirmation that the fairness 
techniques for term size described in Section 4 ensure minimal size solutions. 

Benchmarks with non-single-invocation synthesis conjectures. Configuration 
cvc4+sg is the only CVC4 configuration that can process benchmarks with synthesis 
conjectures that are not single-invocation. The results for ESOLVER and cvc4+sg on 
such benchmarks from SyGuS 2014 are shown in Figure 7. Configuration cvc4+sg 
solved 53 of them over a total of 67. ESolver solved 58 and additionally reported 
that 6 had no solution. In more detail, ESolver solved 7 benchmarks that cvc4+sg did 
not, while cvc4+sg solved 2 benchmarks (from the vctrl class) that ESOLVER could 
not solve. In terms of precision, cvc4+sg is quite competitive with the state of the art 
on these benchmarks. To give other points of comparison, at the SyGuS 2014 competition 
[1] the second best solver (the Stochastic solver) solved 40 of these benchmarks 
within a one hour limit and Sketch solved 23. 

Overall results. In total, over the entire SyGuS 2014 benchmark set, 155 benchmarks 
can be solved by a configuration of CVC4 that, whenever possible, runs the methods 
for single-invocation properties described in Section 3 and otherwise runs the method 
described in Section 4. This number is 27 higher than the 128 benchmarks solved in 
total by ESolver. Running both configurations cvc4+sg and cvc4+si in parallel solves 
156 benchmarks, indicating that CVC4 is highly competitive with state-of-the-art tools 
for syntax-guided synthesis. CVC4's performance is noticeably better than ESOLVER's on 
single-invocation properties, where our new quantifier instantiation techniques give it a 
distinct advantage. 

Competitive advantage on single-invocation properties in the presence of ite. We 
conclude by observing that for certain classes of benchmarks, configuration cvc4+si 
scales significantly better than state-of-the-art synthesis tools. Figure 8 shows this in 
comparison with ESOLVER for the problem of synthesizing a function that computes 


Footnote: CVC4 has a portfolio mode that allows it to run multiple configurations at the same time. 
n          2       3          4       5       6       7       8       9       10
esolver    0.01    1377.10    -       -       -       -       -       -       -
cvc4+si    0.01    0.02       0.03    0.05    0.1     0.3     1.6     8.9     81.5

Fig. 8. Results for a parametric benchmark class encoding the maximum of n integers. The 
columns show the run time for ESolver and CVC4 with a 3600s timeout. 

the maximum of n integer inputs. As reported by Alur et al. [1], no solver in the SyGuS 
2014 competition was able to synthesize such a function for n = 5 within one hour. 

For benchmarks from the array class, whose solutions are loop-free programs that 
compute the first instance of an element in a sorted array, the best reported solver for 
these in [1] was Sketch, which solved a problem for an array of length 7 in approximately 
30 minutes. In contrast, cvc4+si was able to reconstruct solutions for arrays 
of size 15 (the largest benchmark in the class) in 0.3 seconds, and solved all but 8 of the 
benchmarks in the class within 1 second. 


7 Conclusion 

We have shown that SMT solvers, instead of just acting as subroutines for automated 
software synthesis tasks, can be instrumented to perform synthesis themselves. We have 
presented a few approaches for enabling SMT solvers to construct solutions for the 
broad class of syntax-guided synthesis problems and discussed their implementation in 
CVC4. This is, to the best of our knowledge, the first implementation of synthesis inside 
an SMT solver and it already shows considerable promise. Using a novel quantifier 
instantiation technique and a solution enumeration technique for the theory of algebraic 
datatypes, our implementation is competitive with the state of the art represented by the 
systems that participated in the 2014 syntax-guided synthesis competition. Moreover, 
for the important class of single-invocation problems when syntax restrictions permit 
the if-then-else operator, our implementation significantly outperforms those systems. 

Acknowledgments. We would like to thank Liana Hadarean for helpful discussions on 
the normal form used in CVC4 for bit vector terms. 